Remove TLS 1.2 Exporter if we don't have randbytes
The TLS-Exporter in TLS 1.2 requires client_random and server_random.
Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored
after the handshake is completed.
Therefore, mbedtls_ssl_export_keying_material() exists only if either
MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2
is *not* defined.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 779dab6..3da4eca 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -5786,11 +5786,13 @@
*
* \return 0 on success. An SSL specific error on failure.
*/
+ #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2)
int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
uint8_t *out, const size_t key_len,
const char *label, const size_t label_len,
const unsigned char *context, const size_t context_len,
const int use_context);
+#endif
#ifdef __cplusplus
}
#endif
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3e85254..971821a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -10054,6 +10054,9 @@
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
const mbedtls_md_type_t hash_alg,
@@ -10106,7 +10109,7 @@
mbedtls_free(prf_input);
return ret;
}
-#endif
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
@@ -10134,7 +10137,7 @@
(const unsigned char *) label, label_len,
context, context_len, out, key_len);
}
-#endif
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
uint8_t *out, const size_t key_len,
@@ -10173,4 +10176,6 @@
}
}
+#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) */
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 27a674f..8f7ae04 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -347,7 +347,11 @@
" in the form of base64 code (serialize option\n" \
" must be set)\n" \
" default: \"\" (do nothing)\n" \
- " option: a file path\n"
+ " option: a file path\n" \
+ " exp_label=%%s Label to input into TLS-Exporter\n" \
+ " default: None (don't try to export a key)\n" \
+ " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
+ " default: 20\n"
#else
#define USAGE_SERIALIZATION ""
#endif
@@ -402,10 +406,6 @@
" read_timeout=%%d default: 0 ms (no timeout)\n" \
" max_resend=%%d default: 0 (no resend on timeout)\n" \
" skip_close_notify=%%d default: 0 (send close_notify)\n" \
- " exp_label=%%s Label to input into TLS-Exporter\n" \
- " default: None (don't try to export a key)\n" \
- " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
- " default: 20\n" \
"\n" \
USAGE_DTLS \
USAGE_CID \
@@ -2574,6 +2574,7 @@
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if (opt.exp_label != NULL && opt.exp_len > 0) {
unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int));
if (exported_key == NULL) {
@@ -2596,6 +2597,7 @@
mbedtls_printf("\n\n");
fflush(stdout);
}
+#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) */
/*
* 6. Write the GET request
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 3bcee9a..538d0d0 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -473,7 +473,11 @@
" in the form of base64 code (serialize option\n" \
" must be set)\n" \
" default: \"\" (do nothing)\n" \
- " option: a file path\n"
+ " option: a file path\n" \
+ " exp_label=%%s Label to input into TLS-Exporter\n" \
+ " default: None (don't try to export a key)\n" \
+ " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
+ " default: 20\n"
#else
#define USAGE_SERIALIZATION ""
#endif
@@ -521,10 +525,6 @@
" event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \
" read_timeout=%%d default: 0 ms (no timeout)\n" \
- " exp_label=%%s Label to input into TLS-Exporter\n" \
- " default: None (don't try to export a key)\n" \
- " exp_len=%%d Length of key to extract from TLS-Exporter \n" \
- " default: 20\n" \
"\n" \
USAGE_DTLS \
USAGE_SRTP \
@@ -3656,6 +3656,7 @@
mbedtls_printf("\n");
}
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if (opt.exp_label != NULL && opt.exp_len > 0) {
unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int));
if (exported_key == NULL) {
@@ -3678,6 +3679,7 @@
mbedtls_printf("\n\n");
fflush(stdout);
}
+#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALZIATION) */
#if defined(MBEDTLS_SSL_DTLS_SRTP)
else if (opt.use_srtp != 0) {